How to use where clause in my search string in Splunk Enterprise - splunk

I have a search string like below:
index=qrp STAGE IN (ORDER_EVENT)
| bucket _time span=1h
| timechart useother=f span=1h sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE
| fillnull value=0
And this is currently giving me aggregates of trades for multiple source systems from the stage table Trade event in a tabular format for every hour of the day.
I need to search exactly for the 8am time frame every day, and check whether the value of the sum of trades for all source systems in the table is equal to zero. How do I add the condition to check whether the column value is zero or not?
Your help is much appreciated.

You can use the where command to test the value of a field.
... | where TradeCount == 0
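The fragment above assumes a single field called TradeCount. After a timechart split by ODS_SRC_SYSTEM_CODE, however, each source system becomes its own column, so the per-row sum across all systems has to be computed first. The following is an added example, not part of the original question or answer; it extends the asker's own pipeline with addtotals (which sums every numeric column of a row into the field named by fieldname) and filters on the hour of day. The field names TotalTrades and hour_of_day are chosen here and are not from the page.

```spl
index=qrp STAGE IN (ORDER_EVENT)
| bucket _time span=1h
| timechart useother=f span=1h sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE
| fillnull value=0
| addtotals fieldname=TotalTrades
| eval hour_of_day=strftime(_time, "%H")
| where hour_of_day="08" AND TotalTrades=0
```

Because timechart emits a row for every hourly bucket in the search window even when no events arrived, and fillnull turns the resulting empty cells into 0, an 8am bucket with no trades at all also ends up with TotalTrades=0 and is returned. That is usually the condition worth alerting on, so a saved search with this SPL and a "number of results > 0" trigger fires whenever an 8am hour had zero trades across all source systems.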

Related

How do I take an hourly sum of one field value in splunk

2020-12-07 23:57:10,160 INFO [+] Number of fetched Availability to publish to Gcp PubSub topic. [ClassUnitKey=BU-STO-460] [NumberOfMessages=95] , [bsName="BsRunBatch"], [userId="S-OLB-U-ITSEELM"], [userIdRegion="EU"]
For the above Splunk log message, how do I find the sum of the [NumberOfMessages=95] field value on an hourly basis? I have written it as below:
| timechart span=1h sum(NumberofMessages)
It's not giving the desired result. The result I got is below:
Try this:
| bin _time span=1h | stats sum(NumberofMessages) by _time
timechart can overwrite your span depending on your time window.
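One thing worth checking when a sum comes back empty is the field name itself: Splunk field names are case-sensitive, so sum(NumberofMessages) does not read a field that was extracted as NumberOfMessages, which is how it is spelled in the log line above. The following is an added example (not from the question or the answer) that extracts the value explicitly with rex so the search does not depend on automatic key=value extraction, then sums it per wall-clock hour. The index and sourcetype values are placeholders to fill in; the output field name messages_per_hour is chosen here.

```spl
index=<your_index> sourcetype=<your_sourcetype> "Number of fetched Availability"
| rex field=_raw "\[NumberOfMessages=(?<NumberOfMessages>\d+)\]"
| bin _time span=1h
| stats sum(NumberOfMessages) as messages_per_hour by _time
```

Appending "by _time, ClassUnitKey" to the stats clause (after extracting ClassUnitKey the same way) gives the hourly total per business unit instead of one global figure. Using bin plus stats rather than timechart keeps the span fixed at one hour regardless of the time-picker window, which is the point the answer above makes.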

Splunk - Stats search count by day with percentage against day-total

The use-case I have is to provide the count of a certain error (searched by a certain pattern) by day and provide a percentage of such 'errored' requests against the total number of requests (searched without the error pattern) handled every day. Unable to form the appropriate query for it. The base queries are -
Get total counts for each day:
index=my_index | bucket _time span=day | stats count by _time
Get just errors for each day:
index=my_index "Error-Search-Pattern" | bucket _time span=day | stats count by _time
How do I combine the two counts to show up side-by-side and show the error:total percentage?
Thanks in advance.
Try this
index=my_index
| eval error=if(match(_raw,".*Error-Search-Pattern.*"), 1, 0)
| bucket _time span=1d
| stats count as total, count(eval(error==1)) as errored by _time
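The search above yields the two counts side by side but not yet the ratio the question asks for. As an added example (not the answerer's code), the same pipeline with one more eval that computes the error percentage per day; the field name error_pct is chosen here. A row only exists for a day that had at least one event, so total is never zero and the division is safe.

```spl
index=my_index
| eval error=if(match(_raw, "Error-Search-Pattern"), 1, 0)
| bucket _time span=1d
| stats count as total, count(eval(error==1)) as errored by _time
| eval error_pct=round(100 * errored / total, 2)
| table _time total errored error_pct
```

match() performs an unanchored regular-expression search, so the leading and trailing ".*" in the original pattern are not needed; if the pattern contains regex metacharacters such as "." or "(" they must be escaped, or searchmatch("Error-Search-Pattern") can be used instead to apply plain search-term matching.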

Splunk alert based on the search result value

I have Splunk logs which give the ExpiryDate in the search result; based on the value of the result, I need to configure an alert 10 days before the expiry date.
Splunk result will be
Expiry Date: 12-28-2019
Thanks in Advance
Assuming ExpiryDate is in the text format you show, this should do it. If it's in epoch form then you can omit the strptime command.
<your current search> | eval eExpiryDate=strptime(ExpiryDate, "%m-%d-%Y")
| eval sevenDaysHence=relative_time(now(), "+7d")
| where eExpiryDate < sevenDaysHence
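The question asks for a 10-day lead time and shows the date embedded in raw text as "Expiry Date: 12-28-2019", so the value first has to be pulled into a field. The following is an added example, not the answerer's search: it extracts the date with rex (assuming the raw text matches the format shown), converts it to epoch seconds, keeps only entries that expire within the next 10 days and have not already passed, and reports the days remaining. The field names expiry_epoch, alert_threshold and days_left are chosen here.

```spl
<your current search>
| rex field=_raw "Expiry Date: (?<ExpiryDate>\d{2}-\d{2}-\d{4})"
| eval expiry_epoch=strptime(ExpiryDate, "%m-%d-%Y")
| eval alert_threshold=relative_time(now(), "+10d")
| where expiry_epoch <= alert_threshold AND expiry_epoch >= now()
| eval days_left=round((expiry_epoch - now()) / 86400, 0)
| table ExpiryDate days_left
```

Saved as an alert with a daily schedule and a "number of results > 0" trigger, this fires once the expiry date falls within the window. Dropping the "expiry_epoch >= now()" clause makes the alert also report items that have already expired, which is often the more useful behaviour for certificates and licences. Note that strptime returns null when the text does not match the format string, and a null never satisfies the where comparison, so malformed dates are silently dropped rather than alerted on.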

Group event counts by hour over time

I currently have a query that aggregates events over the last hour, and alerts my team if events are over a specific threshold. The query was recently accidentally disabled, and it turns out there were times when the alert should have fired but did not.
My goal is to apply this alert query logic to the previous month and determine how many times the alert would have fired, had it been functional. However, I am having a hard time figuring out how best to group these. In pseudocode, I would basically have (running over a 30-day time frame):
index="some_index" | where count > n | group by hour
Hopefully this makes sense, if not, I am happy to provide some clarification.
Thanks in advance
This should get you started:
index=foo | bin span=1h _time | stats count by _time | where count > n
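To turn the per-hour rows into the number the question is after (how many times the alert would have fired), a second stats over the filtered rows is enough. The following is an added example rather than the answerer's search; it uses 500 as a stand-in for the threshold n and the field names hours_over_threshold, first_hour and last_hour are chosen here.

```spl
index="some_index" earliest=-30d@d latest=@d
| bin _time span=1h
| stats count by _time
| where count > 500
| stats count as hours_over_threshold, min(_time) as first_hour, max(_time) as last_hour
| eval first_hour=strftime(first_hour, "%Y-%m-%d %H:%M"), last_hour=strftime(last_hour, "%Y-%m-%d %H:%M")
```

One caveat when back-testing this way: bin aligns buckets to wall-clock hours (10:00 to 11:00), whereas a scheduled alert that looks at "the last hour" uses a window anchored to its run time. If the original alert ran at, say, 10 minutes past the hour, its windows straddle two of these buckets, so the count here is an approximation of how often it would have fired, not an exact replay.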

Splunk - How can I get accumulative values for a day for a period of time?

One of the things I'm using Splunk to monitor is electricity usage. One of the fields indexed is the accumulative Kw value for the day; how can I get the last value for the day for a given timespan, so as to output the total Kw for each day for a month? I've tried using
host=Electricity earliest=-4w@w1 latest=+w@w1 | timechart last(live_day_kw) as Kw
but for the data I have it seems to be adding each day together, so it's increasing day on day and not giving daily values; for example, day 1 is 7kw, day 2 is 14kw and day 3 is 21kw, whereas I'd expect ~7kw a day. Also, I just checked and the live_day_kw value does reset to zero at midnight.
Not quite sure of what you're looking for, but maybe this will help.
host=Electricity earliest=-4w@w1 latest=+w@w1 | timechart span=1d last(live_day_kw) as Kw
For the benefit of those looking for the same solution I managed to solve it thus:
host=Electricity earliest=-4w@w1 | timechart latest(live_day_kw) as "Kw_Day" | eval Kw_Day = round(Kw_Day,2)
I also needed the search set to 'month to date', and it gets exactly what I needed.
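Since the asker confirms that live_day_kw resets to zero at midnight, the end-of-day reading is also the day's maximum. The following is an added example, not the asker's final search: it fixes the span at one day explicitly so the result does not depend on the time picker, and uses max() instead of latest(), which gives the same figure for a counter that only increases within the day but does not rely on events arriving in timestamp order. The time modifiers use Splunk's @ snap-to syntax (-4w@w1 is four weeks ago snapped to Monday).

```spl
host=Electricity earliest=-4w@w1 latest=@d
| timechart span=1d max(live_day_kw) as Kw_Day
| eval Kw_Day=round(Kw_Day, 2)
```

Without an explicit span, timechart picks a bucket size from the search window, so a month-long search may silently fall back to a coarser span and merge days, which is one way to end up with values that look like they are accumulating.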